Apple Inc. (NASDAQ:AAPL) has quietly closed a six-month-old flaw that was present in its Messages app. A new report has shown the severity of the flaw, which allowed the chat history to be exposed, including photos and videos, as long as the user could be tricked into clicking a malicious link.
The bug affected mostly Apple’s laptop and desktop users from September up to March. The longevity of the virus highlights how even big companies have trouble coping with securing sensitive data, without having to deal with external pressure from the government about special access.
Apple released a software update on March 24th which fixed the Messages vulnerability that caused the chat history to be compromised. They described the problem as ‘an issue…in the processing of JavaScript links… Clicking a JavaScript link can reveal sensitive user information.’ Full details of how to exploit the flaw came on Friday, when the team that discovered the flaw posted a technical write-up and code.
According to them, the problem was not with the Apple’s encryption system, which is well respected amongst cybersecurity experts, but was in the client systems that makes use of those systems. In this case, it was Apple’s message service, iMessage. The problem, however, was only targeting users with the El Capitan version, which meant iPhone and iPad users together with users of older versions of the OS X were not impacted.
Matthew Bryant, former security consultant at Bishop Fox, and co-author of the write-u p said, “People may overlook simple things like being able to exploit the client. That can also achieve the end goal of being able to steal information much the same way that is breaking crypto would,”
Users of the vulnerable version of the iMessage could be sent messages by any stranger. Apple decided to fix the flaw by simply choosing to block all hyperlinks which contained JavaScript.
Web browsers typically limit the reach of JavaScript code by providing it to a single originating web server. This is known as the “same origin policy” and Apple did not use it for iMessage.
One analyst said, “From a technical perspective, it doesn’t really make sense to implement the same-origin policy in native applications like Messages.”
Joe DeMesy, Bishop Fox associate penetration tester also said, “But abandoning the same-origin policy meant that JavaScript code embedded in Messages links had access to local files, which isn’t the case for JavaScript that is executed in a web browser. This allowed us to leverage the vulnerability in interesting ways that wouldn’t have been possible in the browser.”
